product manual 225

Upload: socaciu-viorica

Post on 23-Feb-2018


  • 7/24/2019 Product Manual 225


    SecFlow-2

    Ruggedized SCADA-Aware Ethernet Switch/Router

    Version 3.1

    INSTALLATION AND USER GUIDE


    Installation and Operation Manual

    ii SecFlow-2 Ver.3.10

    Limited Warranty

    RAD warrants to DISTRIBUTOR that the hardware in the SecFlow-2 to be delivered hereunder shall be free of defects in material and workmanship under normal use and service for a period of twelve (12) months following the date of shipment to DISTRIBUTOR.

    If, during the warranty period, any component part of the equipment becomes defective by reason of material or workmanship, and DISTRIBUTOR immediately notifies RAD of such defect, RAD shall have the option to choose the appropriate corrective action: a) supply a replacement part, or b) request return of equipment to its plant for repair, or c) perform necessary repair at the equipment's location. In the event that RAD requests the return of equipment, each party shall pay one-way shipping costs.

    RAD shall be released from all obligations under its warranty in the event that the equipment has been subjected to misuse, neglect, accident or improper installation, or if repairs or modifications were made by persons other than RAD's own authorized service personnel, unless such repairs by others were made with the written consent of RAD.

    The above warranty is in lieu of all other warranties, expressed or implied. There are no warranties which extend beyond the face hereof, including, but not limited to, warranties of merchantability and fitness for a particular purpose, and in no event shall RAD be liable for consequential damages.

    RAD shall not be liable to any person for any special or indirect damages, including, but not limited to, lost profits from any cause whatsoever arising from or in any way connected with the manufacture, sale, handling, repair, maintenance or use of the SecFlow-2, and in no event shall RAD's liability exceed the purchase price of the SecFlow-2.

    DISTRIBUTOR shall be responsible to its customers for any and all warranties which it makes relating to SecFlow-2 and for ensuring that replacements and other adjustments required in connection with the said warranties are satisfactory.

    Software components in the SecFlow-2 are provided "as is" and without warranty of any kind. RAD disclaims all warranties including the implied warranties of merchantability and fitness for a particular purpose. RAD shall not be liable for any loss of use, interruption of business or indirect, special, incidental or consequential damages of any kind. In spite of the above RAD shall do its best to provide error-free software products and shall offer free Software updates during the warranty period under this Agreement.

    RAD's cumulative liability to you or any other party for any loss or damages resulting from any claims, demands, or actions arising out of or relating to this Agreement and the SecFlow-2 shall not exceed the sum paid to RAD for the purchase of the SecFlow-2. In no event shall RAD be liable for any indirect, incidental, consequential, special, or exemplary damages or lost profits, even if RAD has been advised of the possibility of such damages.

    This Agreement shall be construed and governed in accordance with the laws of the State of Israel.

    Product Disposal

    To facilitate the reuse, recycling and other forms of recovery of waste equipment in protecting the environment, the owner of this RAD product is required to refrain from disposing of this product as unsorted municipal waste at the end of its life cycle. Upon termination of the unit's use, customers should provide for its collection for reuse, recycling or other form of environmentally conscientious disposal.


    General Safety Instructions

    The following instructions serve as a general guide for the safe installation and operation of telecommunications products. Additional instructions, if applicable, are included inside the manual.

    Safety Symbols

    This symbol may appear on the equipment or in the text. It indicates potential safety hazards regarding product operation or maintenance to operator or service personnel.

    Danger of electric shock. Avoid any contact with the marked surface while the product is energized or connected to outdoor telecommunication lines.

    Protective ground: the marked lug or terminal should be connected to the building protective ground bus.

    Some products may be equipped with a laser diode. In such cases, a label with the laser class and other warnings as applicable will be attached near the optical transmitter. The laser warning symbol may be also attached.

    Please observe the following precautions:

    Before turning on the equipment, make sure that the fiber optic cable is intact and is connected to the transmitter.

    Do not attempt to adjust the laser drive current.

    Do not use broken or unterminated fiber-optic cables/connectors or look straight at the laser beam.

    The use of optical devices with the equipment will increase eye hazard.

    Use of controls, adjustments or performing procedures other than those specified herein, may result in hazardous radiation exposure.

    ATTENTION: The laser beam may be invisible

    In some cases, the users may insert their own SFP laser transceivers into the product. Users are alerted that RAD cannot be held responsible for any damage that may result if non-compliant transceivers are used. In particular, users are warned to use only agency approved products that comply with the local laser safety regulations for Class 1 laser products.

    Always observe standard safety precautions during installation, operation and maintenance of this product. Only qualified and authorized service personnel should carry out adjustment, maintenance or repairs to this product. No installation, adjustment, maintenance or repairs should be performed by either the operator or the user.


    Handling Energized Products

    General Safety Practices

    Do not touch or tamper with the power supply when the power cord is connected. Line voltages may be present inside certain products even when the power switch (if installed) is in the OFF position or a fuse is blown. For DC-powered products, although the voltage levels are usually not hazardous, energy hazards may still exist.

    Before working on equipment connected to power lines or telecommunication lines, remove jewelry or any other metallic object that may come into contact with energized parts.

    Unless otherwise specified, all products are intended to be grounded during normal use. Grounding is provided by connecting the mains plug to a wall socket with a protective ground terminal. If a ground lug is provided on the product, it should be connected to the protective ground at all times, by a wire with a diameter of 18 AWG or wider. Rack-mounted equipment should be mounted only in grounded racks and cabinets.

    Always make the ground connection first and disconnect it last. Do not connect telecommunication cables to ungrounded equipment. Make sure that all other cables are disconnected before disconnecting the ground.

    Some products may have panels secured by thumbscrews with a slotted head. These panels may cover hazardous circuits or parts, such as power supplies. These thumbscrews should therefore always be tightened securely with a screwdriver after both initial installation and subsequent access to the panels.

    Connecting AC Mains

    Make sure that the electrical installation complies with local codes.

    Always connect the AC plug to a wall socket with a protective ground.

    The maximum permissible current capability of the branch distribution circuit that supplies power to the product is 16A (20A for USA and Canada). The circuit breaker in the building installation should have high breaking capacity and must operate at short-circuit current exceeding 35A (40A for USA and Canada).

    Always connect the power cord first to the equipment and then to the wall socket. If a power switch is provided in the equipment, set it to the OFF position. If the power cord cannot be readily disconnected in case of emergency, make sure that a readily accessible circuit breaker or emergency switch is installed in the building installation.

    In cases when the power distribution system is IT type, the switch must disconnect both poles simultaneously.

    Connecting DC Power

    Unless otherwise specified in the manual, the DC input to the equipment is floating in reference to the ground. Any single pole can be externally grounded.

    Due to the high current capability of DC power systems, care should be taken when connecting the DC supply to avoid short-circuits and fire hazards.

    Make sure that the DC power supply is electrically isolated from any AC source and that the installation complies with the local codes.


    The maximum permissible current capability of the branch distribution circuit that supplies power to the product is 16A (20A for USA and Canada). The circuit breaker in the building installation should have high breaking capacity and must operate at short-circuit current exceeding 35A (40A for USA and Canada).

    Before connecting the DC supply wires, ensure that power is removed from the DC circuit. Locate the circuit breaker of the panel board that services the equipment and switch it to the OFF position. When connecting the DC supply wires, first connect the ground wire to the corresponding terminal, then the positive pole and last the negative pole. Switch the circuit breaker back to the ON position.

    A readily accessible disconnect device that is suitably rated and approved should be incorporated in the building installation.

    If the DC power supply is floating, the switch must disconnect both poles simultaneously.

    Connecting Data and Telecommunications Cables

    Data and telecommunication interfaces are classified according to their safety status.

    The following table lists the status of several standard interfaces. If the status of a given port differs from the standard one, a notice will be given in the manual.

    Ports | Safety Status
    V.11, V.28, V.35, V.36, RS-530, X.21, 10 BaseT, 100 BaseT, Unbalanced E1, E2, E3, STM, DS-2, DS-3, S-Interface ISDN, Analog voice E&M | SELV (Safety Extra Low Voltage): Ports which do not present a safety hazard. Usually up to 30 VAC or 60 VDC.
    xDSL (without feeding voltage), Balanced E1, T1, Sub E1/T1 | TNV-1 (Telecommunication Network Voltage-1): Ports whose normal operating voltage is within the limits of SELV, on which overvoltages from telecommunications networks are possible.
    FXS (Foreign Exchange Subscriber) | TNV-2 (Telecommunication Network Voltage-2): Ports whose normal operating voltage exceeds the limits of SELV (usually up to 120 VDC or telephone ringing voltages), on which overvoltages from telecommunication networks are not possible. These ports are not permitted to be directly connected to external telephone and data lines.
    FXO (Foreign Exchange Office), xDSL (with feeding voltage), U-Interface ISDN | TNV-3 (Telecommunication Network Voltage-3): Ports whose normal operating voltage exceeds the limits of SELV (usually up to 120 VDC or telephone ringing voltages), on which overvoltages from telecommunication networks are possible.

    Always connect a given port to a port of the same safety status. If in doubt, seek the assistance of a qualified safety engineer.

    Always make sure that the equipment is grounded before connecting telecommunication cables. Do not disconnect the ground connection before disconnecting all telecommunications cables.

    Some SELV and non-SELV circuits use the same connectors. Use caution when connecting cables. Extra caution should be exercised during thunderstorms.


    When using shielded or coaxial cables, verify that there is a good ground connection at both ends. The grounding and bonding of the ground connections should comply with the local codes.

    The telecommunication wiring in the building may be damaged or present a fire hazard in case of contact between exposed external wires and the AC power lines. In order to reduce the risk, there are restrictions on the diameter of wires in the telecom cables, between the equipment and the mating connectors.

    To reduce the risk of fire, use only No. 26 AWG or larger telecommunication line cords.

    To reduce the risk of fire, use only telecommunication conductors of 26 AWG or larger cross-section.

    Some ports are suitable for connection to intra-building or non-exposed wiring or cabling only. In such cases, a notice will be given in the installation instructions.

    Do not attempt to tamper with any carrier-provided equipment or connection hardware.

    Electromagnetic Compatibility (EMC)

    The equipment is designed and approved to comply with the electromagnetic regulations of major regulatory bodies. The following instructions may enhance the performance of the equipment and will provide better protection against excessive emission and better immunity against disturbances.

    A good ground connection is essential. When installing the equipment in a rack, make sure to remove all traces of paint from the mounting points. Use suitable lock-washers and torque. If an external grounding lug is provided, connect it to the ground bus using braided wire as short as possible.

    The equipment is designed to comply with EMC requirements when connecting it with unshielded twisted pair (UTP) cables. However, the use of shielded wires is always recommended, especially for high-rate data. In some cases, when unshielded wires are used, ferrite cores should be installed on certain cables. In such cases, special instructions are provided in the manual.

    Disconnect all wires which are not in permanent use, such as cables used for one-time configuration.

    The compliance of the equipment with the regulations for conducted emission on the data lines is dependent on the cable quality. The emission is tested for UTP with 80 dB longitudinal conversion loss (LCL).

    Unless otherwise specified or described in the manual, TNV-1 and TNV-3 ports provide secondary protection against surges on the data lines. Primary protectors should be provided in the building installation.

    The equipment is designed to provide adequate protection against electro-static discharge (ESD). However, it is good working practice to use caution when connecting cables terminated with plastic connectors (without a grounded metal hood, such as flat cables) to sensitive data lines. Before connecting such cables, discharge yourself by touching ground or wear an ESD preventive wrist strap.


    FCC-15 User Information

    This equipment has been tested and found to comply with the limits of the Class A digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the Installation and Operation manual, may cause harmful interference to the radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.

    Canadian Emission Requirements

    This Class A digital apparatus meets all the requirements of the Canadian Interference-Causing Equipment Regulation.

    This Class A digital apparatus complies with all the requirements of the Canadian Interference-Causing Equipment Regulation.

    Warning per EN 55022 (CISPR-22)

    This is a class A product. In a domestic environment, this product may cause radio interference, in which case the user will be required to take adequate measures.

    This device is a Class A device. In a residential environment, this device may cause radio interference. In such cases, the user may be required to take appropriate measures.

    This device falls under radio interference limit class A. In residential areas, operation of this device may cause radio interference, which the user is responsible for remedying.


    Product Disposal

    To facilitate the reuse, recycling and other forms of recovery of discarded equipment as part of protecting the environment, the owner of this RAD product is asked not to dispose of it as unsorted municipal waste once the product has reached the end of its life cycle. The customer should arrange for the reuse, recycling or other form of environmentally conscientious disposal of this unit when they have finished using it.

    General Safety Instructions

    The following instructions serve as a general guide for the safe installation and operation of telecommunications products. Additional instructions may be given in the manual.

    Safety Symbols

    This symbol may appear on the equipment or in the text. It indicates potential safety risks to the operator or service personnel regarding the operation of the product or its maintenance.

    Danger of electric shock. Avoid any contact with the marked surface while the product is energized or connected to external telecommunication lines.

    Protective ground: the marked lug or terminal should be connected to the building protective ground.


    Some products may be equipped with a laser diode. In such cases, a label indicating the laser class and other warnings, as applicable, will be attached near the optical transmitter. The laser warning symbol may also be attached.

    Please observe the following precautions:

    Before turning on the equipment, make sure that the fiber optic cable is intact and is connected to the transmitter.

    Do not attempt to adjust the laser drive current.

    Do not use broken or unterminated fiber optic cables or connectors, and do not look directly at a laser beam.

    The use of optical devices with the equipment will increase the risk to the eyes.

    The use of controls, adjustments or procedures other than those specified here could result in hazardous radiation exposure.

    ATTENTION: The laser beam may be invisible

    In some cases, users may insert their own SFP laser transceivers into the product. Users are warned that RAD cannot be held responsible for any damage that may result from the use of non-compliant transceivers. In particular, users are warned to use only agency-approved products that comply with the local laser safety regulations for Class 1 laser products.

    Always observe standard safety precautions during installation, operation and maintenance of this product. Only qualified and authorized service personnel should carry out adjustment, maintenance or repairs to this product. No installation, adjustment, maintenance or repair should be performed by the operator or the user.

    Handling Energized Products

    General Safety Practices

    Do not touch or tamper with the power supply when the power cord is connected. Line voltages may be present inside certain products even when the power switch (if installed) is in the OFF position or the fuse is blown. For DC-powered products, the voltage levels are usually not hazardous, but current hazards may still exist.

    Before working on equipment connected to power lines or telecommunication lines, remove jewelry or any other metallic object that may come into contact with energized parts.

    Unless otherwise indicated, all products are intended to be grounded during normal use. Grounding is provided by connecting the mains plug to a wall socket equipped with a protective ground terminal. If a ground lug is provided with the product, it should be connected at all times to a protective ground by a conductor with a diameter of 18 AWG or more. Rack-mounted equipment should be mounted only in grounded racks and cabinets.

    Always connect the ground first and disconnect it last. Do not connect telecommunication cables to ungrounded equipment. Make sure that all other cables are disconnected before disconnecting the ground.


    Connecting AC Mains

    Make sure that the electrical installation complies with local regulations.

    Always connect the mains plug to a wall socket equipped with a protective ground terminal.

    The maximum permissible current capability of the branch distribution circuit that supplies the product is 16A (20A in the USA and Canada). The circuit breaker in the building installation should have high breaking capacity and should operate at short-circuit current exceeding 35A (40A in the USA and Canada).

    Always connect the power cord first to the equipment and then to the wall socket. If a power switch is provided with the equipment, set it to the OFF position. If the power cord cannot be readily disconnected in case of emergency, make sure that a readily accessible circuit breaker or emergency switch is installed in the building installation.

    The switch should disconnect both poles simultaneously if the power distribution system is IT type.

    Connecting DC Power

    Unless otherwise specified in the manual, the DC input to the equipment is floating in reference to the ground. Any pole must be grounded externally.

    Because of the current capability of DC power systems, care should be taken when connecting the DC supply to avoid short-circuits and fire hazards.

    Make sure that the DC power supply is isolated from any AC (mains) source and that the installation complies with local regulations.

    The maximum permissible current capability of the branch distribution circuit that supplies the product is 16A (20A in the USA and Canada). The circuit breaker in the building installation should have high breaking capacity and should operate at short-circuit current exceeding 35A (40A in the USA and Canada).

    Before connecting the DC supply cables, make sure that the DC circuit is not energized. Locate the circuit breaker in the panel board that services the equipment and set it to the OFF position. When connecting the DC supply cables, first connect the ground conductor to the corresponding terminal, then the positive pole and last the negative pole. Set the circuit breaker back to the ON position.

    A readily accessible, suitable and approved disconnect device should be incorporated in the building installation.

    The disconnect device should disconnect both poles simultaneously if the DC power supply is floating.


    Contents

    Installation Guide

    Chapter 1 Introduction

    Chapter 2 Key Features

    Chapter 3 Using This Document

    Chapter 4 Safety Information

    User Guide

    Chapter 1 Introduction

    Chapter 2 System

    Chapter 3 Ports

    Chapter 4 MAC-Address Table (FDB)

    Chapter 5 VLAN and IP Interface

    Chapter 6 SNTP

    Chapter 7 QOS

    Chapter 8 CFM

    Chapter 9 Resiliency

    Chapter 10 Spanning Tree and Routing

    Chapter 11 Application IP Interface

    Chapter 12 Management

    Chapter 13 Transparent Tunneling

    Chapter 14 Protocol Gateway IEC 101 to IEC 104

    Chapter 15 Protocol Gateway TG800 to IEC 104

    Chapter 16 Discrete IO Tunneling

    Chapter 17 VPN


    SecFlow-2

    Ruggedized SCADA-Aware Ethernet Switch/Router

    Installation Guide


    Chapter 1

    Introduction

    The SecFlow-2 ruggedized SCADA-aware industrial Ethernet switches combine a ruggedized Ethernet platform with a unique application-aware processing engine.

    As an industrial Ethernet switch, the SecFlow-2 provides a strong Ethernet and IP feature set, with special emphasis on the needs of mission-critical industrial environments: suitability for harsh conditions, high reliability and network resiliency.

    In addition, the SecFlow-2 switches have unique service-aware capabilities that enable integrated handling of application-level requirements, such as the implementation of security measures.

    Such an integrated solution results in a simple network architecture with an optimized fit to the application requirements.


    Chapter 2

    Key Features

    The SecFlow-2 devices offer the following features:

    Wire speed, non-blocking Layer 2 switching

    High-density modular system

    Advanced Ethernet and IP feature-set

    Application-aware firewall per port

    Integrated VPN agent

    Fit to harsh industrial environment

    Supported by a dedicated industrial service management tool (iSIM)

    Multiple interface types


    Chapter 3

    Using This Document

    Documentation Purpose

    This user guide includes the relevant information for configuring the SecFlow-2 functionalities.

    It provides an overview of the syntax for the commands available in the currently supported software version and describes the features supplied with the device.

    Intended Audience

    This user guide is intended for network administrators responsible for installing and configuring network equipment.

    Users must be familiar with the concepts and terminology of Ethernet and local area networking (LAN) to use this User Guide.

    Documentation Suite

    This document is just one part of the full documentation suite provided with this product.

    Document | Function
    Initial setup guide | Provided with the device in the box. Immediate information required for power up and management availability.
    Installation Guide | Contains information about installing the hardware and software, including site preparation, testing, and safety information.
    User Guide | Contains information on configuring and using the system.
    Quick User Guide | Contains basic information on configuring and using the system for most common uses and features.

    Conventions Used

    The conventions below are used to convey important information:

    Note: Indicates special information to which the user needs to pay special attention.

    Caution: Indicates special instructions to avoid possible damage to the product.


    Warning: Indicates special instructions to avoid possible injury or death.

    The table below explains the conventions used within the document text:

    Conventions | Description
    commands | CLI and SNMP commands
    command example | CLI and SNMP examples
    user-defined variables
    [Optional Command Parameters] | CLI syntax and coded examples


    Chapter 4

    Safety Information

    4.1 Safety Information

    Danger of electric shock. Avoid any contact with the marked surface while the product is energized or connected to outdoor telecommunication lines.

    Protective earth: the marked lug or terminal should be connected to the building protective earth bus.

    LINE VOLTAGE

    Before connecting the product to the power line, make sure the voltage of the power source matches the requirements of the product, as marked on the label located near the power connectors.

    SecFlow-2 includes Class 1 lasers. For your safety:

    Do not look directly into the optical connectors while the unit is operating. The laser beams are invisible.

    Do not attempt to adjust the laser drive current.

    The use of optical instruments with this product will increase eye hazard. Laser power up to 1 mW at 1300 nm and 1550 nm could be collected by an optical instrument.

    Use of controls or adjustment or performing procedures other than those specified herein may result in hazardous radiation exposure.

    This equipment contains Electrostatic Discharge (ESD) sensitive components. Use ESD protection before servicing or installing components of this system.


    Changes or modifications made to this device that are not expressly approved by

    the party responsible for compliance could void the users authority to operate

    the equipment.

    Remove the power cord from a power-supply unit before installing it or remove itfrom the device. Otherwise, as a result, the power supply or the device could be

    damaged. (The device can be running while a power supply is being installed or

    removed, but the power supply itself should not be connected to a power

    source.)

    The unit is designated to operate in environments of up to 70 degrees ambient

    temperature.

    For AC units, under some conditions the housing of the unit might get hot and

    direct touch should avoid.

    4.2 System Description

    SecFlow-2 is a compact switch with high capability in terms of L2/L3 switching

    and secure servicing of industrial protocols.

    The housing contains the power supply module, the main switching unit, the I/O interface modules and, optionally, an additional communication interface with an xDSL or WiFi modem.

    Power Supply Module

    Available power input versions and their respective current consumption:

    Power input   Max current [A]             Max current [A]
                  Version without POE ports   Version with POE ports
    24vDC         1.3                         4
    48vDC         0.7                         2
    110vDC        0.3                         0.8
    220vDC        0.15                        0.4
    110vAC        0.4                         1.2
    220vAC        0.2                         0.6

    For the DC versions two inputs for external sources are available, allowing power

    redundancy to the unit.

    AC power variants have double pole/neutral fusing.


    Input Circuit Protection

    Following are maximum values of upstream fuse / circuit breaker protection:

    Power input   Max current [A]
    24vDC         10
    48vDC         5
    110vDC        2.5
    220vDC        1.2
    110vAC        6
    220vAC        6

    Main Switch

    The Main Switch module is responsible for:

    Switch management.

    L2 switching.

    L3 routing.

    Application aware firewall and special services.

    Interfaces on this module are:

    Ethernet Copper RJ45 ports

    SFP FO ports.

    Serial console RJ45 port.

    USB management port.

    I/O Interface

    The I/O card holds the following user and network interfaces:

    Asynchronous serial RS-232 ports.

    Discrete IO inputs / outputs.

    Cellular GPRS/UMTS modem.

    Power connectors for DC versions.

    Communication module

    This is an ordering option of the device for the following interfaces:

    WiFi Access Point interface.

    SHDSL modem.

    AC power input connector.


    4.3 Installing SecFlow-2

    This section includes the relevant information for installing the device.

    Package Contents

    The SecFlow-2 package includes the following items:

    SecFlow-2 module

    1x RS-232 console cable (white cable, CBL-SF-RJ45-CONSOLE)

    Optional: 1x RS-232 user port cable (gray cable, CBL-RJ45/DB9/NULL)

    First installation guide

    Unpacking

    The package contents are factory tested and inspected prior to shipment; however, keep the shipping package until the device is installed and verified as operational. In case of damage to the device during shipment, contact support.

    Mounting SecFlow-2

    The SecFlow-2 is designed as a fixed unit that is connected in its rear side to an

    industry standard DIN rail and is set up with the DIN-rail mount as the default

    setup.

    Mounting for DIN Rail

    These mounting instructions assume that a standard DIN rail has been previously installed. If one has not, use the installation instructions that come with the DIN rail to mount the DIN rail on the wall.

    Locate on the back of the device the DIN mounting brackets.

    To Assemble:

    Position the module with the DIN rail guide on the upper edge of the DIN rail, and

    snap it in with a downward motion.


    To Remove:

    Pull the snap lever open with the aid of a screwdriver and slide the module out at

    the lower edge of the DIN rail.

    The product must be installed vertically, with the bottom side of the device facing downwards towards the floor, to enable proper natural air flow.

    Distance Kept For Natural Air Flow

    Proper installation requires keeping a 10 cm distance above and below the SecFlow-2 switch from any neighboring device, for proper cooling using natural air flow.


    10 cm above and below kept clear


    Grounding

    To install the grounding wire:

    1. Prepare a minimum 10 American Wire Gauge (AWG) grounding wire

    terminated by a crimped two-hole lug with hole diameter and spacing as

    shown in the below figure. Use a suitable crimping tool to fasten the lug

    securely to the wire. Adhere to your company's policy as to the wire gauge and the number of crimps on the lug.

    2. Apply some anti-oxidant onto the metal surface.

    3. Mount the lug on the grounding posts, replace the spring-washers and fasten

    the bolts. Avoid using excessive torque.

    Do not remove the earth connection unless all power supply connections are

    disconnected.

    Before connecting power to the platform, make sure that the grounding posts

    are firmly connected to a reliable ground, as described below.

    Battery Maintenance

    The system has an integrated battery used for backup of certain system values

    like time.

    Risk of explosion if battery is replaced by an incorrect type.

    Battery replacement should be done by the manufacturer or an authorized party

    on its behalf.


    4.4 Connecting to a Power Source

    To Wire the DC Input voltage connector:

    Input voltage can be either AC or DC depending on the specific module you

    purchased. Please take care to notice the label on the back of the module.

    For the DC version there are 2 connection inputs, marked as "PWR A" and "PWR B". For proper operation it is only necessary to connect one power source, either

    to "PWR A" or to "PWR B". However, for redundancy purposes you may connect 2

    different power sources one at "PWR A" and the second to "PWR B".

    For wiring the voltage, an opposite plug connector (2 pcs) is supplied.

    Wiring of the plug connector:

    To wire the AC Input voltage connector:

    For an AC product variant there is a single input connector.

    Use a brown wire for the Line (Phase) conductor, a green/yellow wire for the grounding and a blue wire for the Neutral conductor. Use 18 AWG (1 mm²) wire with insulated ferrules.

    Wiring of the plug connector:

    Use a grounding wire of at least 10 American Wire Gauge (AWG).

    Attach the 10 AWG wire to an agency-approved crimp connector, crimped with

    the proper tool. The crimp connector should be secured to both ground screws

    on the enclosure.


    Make sure that the input circuit to the system has proper circuit protection on the input to the terminal block. Max current consumption for each product variant is given in this document.

    The unit does not have a Power On/Off button and is automatically turned on

    when the cabling is completed and the power to the feed line is turned on.

    Before wiring the power plug or connecting power to the device, verify that the

    power to the feed lines is turned off at the supply circuit-breaker or

    disconnected from the power bus.

    4.5 The Switch LED Indicators

    Table 4-1. Switch LED Indicators

    Interface             Status              Meaning
    PWR                   Off                 No power
                          Green               Power on
    Eth 1-8 Link LED      Off                 Port administratively disabled or no link connected to it
                          Green               Enabled and link up
    Eth 1-8 ACT LED       Off                 Port administratively disabled or no link connected to it
                          Yellow (blinking)   Traffic
    SFP                   Off                 Port administratively disabled
                          Red                 Enabled, no SFP present
                          Green (static)      SFP present
                          Green (blinking)    Traffic
    Serial 1-4 Link LED   Off                 Disabled
                          Green               Enabled
    Serial 1-4 Link LED   Off                 No traffic
                          Yellow (blinking)   Traffic
    Cellular C1           Off                 GPRS disabled
                          Green               SIM inserted, GPRS enabled
                          Green (blinking)    SIM connected/Traffic
    Run                   Off                 No power or in early boot stage
                          Red                 Faulty
                          Green (blinking)    During start-up
                          Green               Normal operation, system up
    Alm                   Off                 System processes ok
                          Red                 A system process alarm


    4.6 Switch Configuration

    Connecting to the Console Port

    To Connect the device to a PC using the Console Port:

    1. Connect the RJ-45 connector of the console cable to the device's Console Port (CON).

       The console cable is colored white and is supplied with the device. Other serial grey cables which might be supplied with the device are for use with the user serial port and should not be connected to the console port.

    2. Connect the other side of the cable to the PC COM port.

    3. Configure the PC COM port to 15200-N-8-1 (15200 bps, no parity, 8 data bits, 1 stop bit, no flow control) and connect.

    Serial port at the switch DB-9 female connector for end device

    Default user name : root

    Default password : admin123

    4.7 Using the Command Line Interface (CLI)

    The CLI is a network management application operated through an ASCII terminal.


    Using the CLI commands, users can configure the device parameters and maintain

    them, receiving text output on the terminal monitor. These system parameters

    are stored in a non-volatile memory and users have to set them up only once.

    The device CLI is password protected.

    Accessing the CLI

    Accessing the CLI:

    Direct connection of a PC to the device's console port

    Telnet or SSH over an IP network

    Once the console port is displayed, use the administrator username and

    password to access the CLI.

    The CLI Modes

    The CLI is structured from hierarchical modes, each mode grouping relevant CLI

    commands.

    Its top level modes are:

    Operational mode

    Configuration mode

    Application mode

    Operational Mode

    This is the initial mode that the CLI enters after a successful login to the CLI.

    3180#

    The Operational mode is primarily used for:

    viewing the system status

    controlling the CLI environment

    monitoring and troubleshooting network connectivity

    initiating the Configuration mode

    Configuration Mode

    The Configuration mode is the mode in which users can change the device

    configuration.

    To enter this mode from Operational mode, use the config terminal

    command.

    3180#config terminal

    3180(config)#

    The Configuration mode has various sub-modes for configuring the different

    device features.


    Application Mode

    The application mode is the mode in which users can configure and manage

    SecFlow-2 extended features such as VPN, Gateway, Serial services and Firewall.

    3180#application connect

    Entering character mode

    Escape character is '^]'.

    RADiFlow Application Module

    Welcome to Radiflow industrial CLI

    [/]

    Committing Configuration Commands

    The commands executed in the Configuration mode are applied to the device's

    active configuration (the running configuration file) immediately upon entry.

    These commands are applied to a copy of the active configuration.

    The configuration made by the user can be saved in the Flash and can be

    restored when the switch is started.

    3180# write startup-config

    Using the CLI

    Command Keywords and Arguments

    A CLI command is built up of a series of keywords and arguments:

    Keywords identify the command's action

    Arguments specify the command's configuration parameters

    The CLI commands are not case sensitive.

    The general CLI syntax is represented by the following format:

    3180[(config- ...)]#keyword(s) [argument(s)] ... [keyword(s)] [argument(s)]

    In this format

    3180[(config ...)]#

    represents the prompt displayed by the device. This prompt includes:

    the user-defined 3180

    the current CLI mode

    the command keywords and arguments typed by the user

    Minimum Abbreviation

    The CLI accepts a minimum number of characters that uniquely identify a

    command; therefore abbreviations for commands and parameters can be used as

    long as they contain enough letters to differentiate them from any other

    available commands or parameters in the specific CLI mode.

    In case of an ambiguous entry (when the CLI mode includes more than one

    command matching the characters typed), the system prompts for further input.
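    Because the CLI accepts any unique prefix, a log review that searches for full command names will miss abbreviated entries. The following added example (not part of the original manual or the device software) expands abbreviated lines to canonical commands before checking them; the command set is a partial list built from commands shown in this guide, and token-by-token prefix matching, the `SENSITIVE` selection and the sample log are assumptions.

```python
import re

# Keyword sequences copied from commands shown in this guide; a constructed,
# partial command set, not the device's full command tree.
KNOWN_COMMANDS = [
    "config terminal",
    "write startup-config",
    "delete startup-config",
    "reload",
    "os-image show-list",
    "os-image activate",
    "os-image delete",
    "os-image download-sw",
    "startup-config export",
    "startup-config import",
    "show history",
    "show users",
]

# Commands a reviewer usually wants surfaced: they erase configuration, restart
# the unit or change the OS image (a selection made for this example).
SENSITIVE = {"delete startup-config", "reload", "os-image activate", "os-image delete"}

PROMPT = re.compile(r"^\S+[#>]\s*")  # e.g. "3180# " or "3180(config)# "


def build_tree(commands):
    """Nest keywords so each level holds the words valid at that position."""
    tree = {}
    for command in commands:
        node = tree
        for word in command.split():
            node = node.setdefault(word, {})
    return tree


TREE = build_tree(KNOWN_COMMANDS)


def resolve(line, tree=TREE):
    """Expand an abbreviated command line.

    Returns (status, canonical, rest):
      "ok"          keywords resolved; rest holds the remaining arguments
      "ambiguous"   rest holds the candidate keywords for the ambiguous token
      "incomplete"  input ended before a full command was named
      "unknown"     a token matched nothing; rest holds the unparsed tokens
    Matching token by token is an assumption; the guide states only that a
    unique prefix is accepted and that commands are not case sensitive.
    """
    node, canonical = tree, []
    tokens = PROMPT.sub("", line.strip()).split()
    for index, token in enumerate(tokens):
        if not node:  # every keyword consumed, the rest are arguments
            return "ok", " ".join(canonical), tokens[index:]
        low = token.lower()
        # An exact keyword wins; otherwise collect every keyword with this prefix.
        matches = [low] if low in node else sorted(k for k in node if k.startswith(low))
        if not matches:
            return "unknown", " ".join(canonical), tokens[index:]
        if len(matches) > 1:
            return "ambiguous", " ".join(canonical), matches
        canonical.append(matches[0])
        node = node[matches[0]]
    return ("incomplete" if node else "ok"), " ".join(canonical), []


def flag_sensitive(log_lines):
    """Return (original line, canonical command) for each sensitive command."""
    hits = []
    for line in log_lines:
        status, canonical, _ = resolve(line)
        if status == "ok" and canonical in SENSITIVE:
            hits.append((line, canonical))
    return hits


# Constructed session log lines (not captured from a device).
SAMPLE_LOG = [
    "3180# sh hist",
    "3180# del start",
    "3180# REL",
    "3180# os act flash:RF_3180_3.1.00.12.tar",
    "3180(config)# set cli pagination off",
]

if __name__ == "__main__":
    for line, canonical in flag_sensitive(SAMPLE_LOG):
        print(f"{canonical:24} <- {line}")
```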


    Dynamic Completion of Commands

    In addition to the Minimum Abbreviation functionality, the CLI can display the

    command's possible completions.

    To display possible command completions, type the partial command followed

    immediately by or .

    In case the partial command uniquely identifies a command, the CLI displays the full command.

    Otherwise the CLI displays a list of possible completions.

    Getting Help

    To get specific help on a command mode, keyword, or argument, use one of the

    following commands or characters:

    Command Purpose

    help Provides a brief description of the help system in any

    command mode.

    abbreviated-command

    To display a command's possible completions, type the

    partial command followed immediately by or

    .

    If the partially typed command uniquely identifies a

    command, the full command name is displayed. Otherwise,

    the CLI displays a list of possible completions:

    command?

    or

    abbreviated-command?

    (Leave no space between the command and ?) Provides a

    list and description of commands that begin with a

    particular string:

    ? Lists all commands available in the current command mode.

    4.8 Setup and Maintenance

    CLI over Secure Shell (SSH) and Telnet

    After the initial device IP configuration, the device can be managed remotely via

    SSH or Telnet.

    Establish In Band management

    Follow the configuration example below to establish management on certain port(s) using a designated VLAN and IP.

    1. Enable the required ports

    interface fastethernet 0/1
    no shutdown
    switchport pvid 10
    map switch default
    exit
    interface fastethernet 0/2
    no shutdown
    switchport pvid 10
    map switch default
    exit

    2. Create your VLAN and assign ports. Port 0/1 is configured as untagged, 0/2 as tagged

    Config
    vlan 10
    ports fastethernet 0/1-2 untagged fastethernet 0/1
    exit

    3. Create the IP interface to the VLAN

    interface vlan 10
    shutdown
    ip address 192.168.0.100 255.255.255.0
    no shutdown
    end
    write startup-config

    Telnet

    The device can be accessed from any platform using a Telnet application. To

    connect to the device enter the IP address of the device along with the username

    and password.


    SecFlow-2

    Ruggedized SCADA-Aware Ethernet Switch/Router

    User Guide


    Chapter 1

    Introduction

    The SecFlow Ruggedized SCADA-aware Industrial Ethernet switches combine a

    ruggedized Ethernet platform with a unique application-aware processing engine.

    As an Industrial Ethernet switch the SecFlow switches provide a strong Ethernet

    and IP feature-set with a special emphasis on the fit to the mission-critical

    industrial environment such as fit to the harsh environment, high reliability and

    network resiliency.

    In addition the SecFlow switches have unique service-aware capabilities that

    enable an integrated handling of application-level requirements such as

    implementation of security measures.

    Such an integrated solution results in a simple network architecture with an optimized fit to the application requirements.

    1.1 Key Features

    The SecFlow-2 device offers the following features:

    Wire speed, non-blocking Layer 2 switching

    Compact systems with flexible ordering options of interface type/quantity

    Advanced Ethernet and IP feature-set

    Integrated Defense-in-Depth tool-set

    Ethernet and Serial interfaces

    Fit to harsh industrial environment

    Supported by a dedicated industrial service management tool (iSIM)


    1.2 Using This Document

    Documentation Purpose

    This user guide includes the relevant information for configuring the SecFlow-2

    functionalities. It provides the complete syntax for the commands available in the currently-

    supported software version and describes the features supplied with the device.

    For more information regarding the device installation, refer to the Installation

    and Maintenance chapter.

    For the latest software updates, see the Release Notes for the relevant release.

    If the release notes contain information that conflicts with the information in the

    user guide or supplements it, follow the release notes' instructions.

    Intended Audience

    This user guide is intended for network administrators responsible for installing

    and configuring network equipment.

    Users must be familiar with the concepts and terminology of Ethernet and local

    area networking (LAN) to use this User Guide.

    Documentation Suite

    This document is just one part of the full documentation suite provided with this

    product.

    Document / Function

    Installation Guide: Contains information about installing the hardware and software, including site preparation, testing, and safety information.

    User Guide: Contains information on configuring and using the system.

    Release Notes: Contains information about the current release, including new features, resolved issues (bug fixes), known issues, and late-breaking information that supersedes information in other documentation.

    The table below explains the conventions used within the document text:

    Conventions Description

    commands CLI and SNMP commands

    command example CLI and SNMP examples

    user-defined variables

    [Optional Command Parameters] CLI syntax and coded examples


    Chapter 2

    System

    2.1 Command Line Interface

    The CLI (Command Line Interface) is used to configure the SecFlow-2 from a console attached to the serial port of the switch or from a remote terminal using TELNET. The following table lists the generic CLI command modes.

    Table 3-1: Command Line Interface

    Command Mode: User EXEC
      Access Method: This is the initial mode to start a session.
      Prompt: 3180>
      Exit Method: The logout method is used.

    Command Mode: Privileged EXEC
      Access Method: The User EXEC mode command enable is used to enter the Privileged EXEC mode.
      Prompt: 3180#
      Exit Method: To return from the Privileged EXEC mode to User EXEC mode, the disable command is used.

    Command Mode: Global Configuration
      Access Method: The Privileged EXEC mode command configure terminal is used to enter the Global Configuration mode.
      Prompt: 3180(config)#
      Exit Method: To exit to the Privileged EXEC mode, the end command is used.

    Command Mode: Interface Configuration
      Access Method: The Global Configuration mode command interface is used to enter the Interface configuration mode.
      Prompt: 3180(config-if)#
      Exit Method: To exit to the Global Configuration mode, the exit command is used and to exit to the Privileged EXEC mode, the end command is used.

    Command Mode: Config-VLAN
      Access Method: The Global configuration mode command vlan vlan-id is used to enter the Config-VLAN mode.
      Prompt: 3180(config-vlan)#
      Exit Method: To exit to the Global Configuration mode, the exit command is used and to exit to the Privileged EXEC mode, the end command is used.


    2.2 CLI Pagination

    Some commands, show commands for example, might produce a long output. By default, the output is paused after every screen length with the notice more, pending input to continue.

    Options

    Pressing the ENTER key will progress the output by a single line.

    Pressing the SPACE key will progress the output by a screen length.

    Pressing the Q key will interrupt the output entirely.

    Turning CLI pagination on/off is available with the following commands:

    3180(config)# set cli pagination on

    3180(config)# set cli pagination off

    An output example of a show command with pagination set to on:

    3180# show running-config

    #Building configuration...

    snmp trap syslog-server-status

    !

    no smtp authentication

    !

    !

    queue 1 interface fastethernet 0/1 qtype 1 scheduler 1 weight 1

    queue-type unicast

    !

    queue 3 interface fastethernet 0/1 qtype 1 scheduler 1 weight 1

    priority 2 queue-type unicast

    !

    --More

    2.3 Configuring the Switch

    Default State of Configuration

    The default configuration of the switch, as shipped from the factory, is held in a file called nvram.txt.

    This executable comes up with a VLAN configured. This VLAN is called the default

    VLAN (VLAN ID = 1). All ports in the switch are members of the default VLAN.


    Configuration Database

    By default, user configuration is saved in a file called 3180.conf. Configuration saved in this file will be available at system startup. If this file is deleted, the system will boot with the 3180nvram.txt file holding the factory configuration.

    User configuration takes effect immediately upon entry. No specific COMMIT command is required.

    The user can also save the running configuration in a file with a chosen name for backup and boot the system with this file when needed.

    Multiple running configuration files can be saved with different names locally on the flash or at a TFTP/SFTP server.

    However, configuration that is not saved as in the example below will not be available following system reboot.

    User configuration is saved (to the 3180.conf) using the following command:

    3180# write startup-cfg

    Building configuration ...

    [OK]

    Removing all user configuration and setting the switch to its factory defaults is

    done by erasing the 3180.conf with the following command

    3180# delete startup-config

    3180# reload

    The 3180.conf and 3180nvram.txt files are not accessible to the user for file operations (copy, rename and such).

    Command Hierarchy

    + Root
      write startup-cfg
      delete startup-config
      + Config terminal
        incremental-save { enable | disable }
        auto-save trigger { enable | disable }
        show nrm

    Command Description

    incremental-save { enable | disable }
      Enable : Enables the incremental save feature.
      Disable : Disables the incremental save feature.
      Default : enable

    auto-save trigger { enable | disable }
      Enable : Enables the auto save trigger function.
      Disable : Disables the auto save trigger function.
      Default : disable


    System Version and Running Configuration files

    OS VERSION

    Updating of system version is available by SFTP server and via the USB port.

    Available OS files on the switch can be seen with the command shown below.

    The running OS file is marked as active.

    Upgrading system OS from a USB drive is done under safe mode interface.

    Running Configuration

    The user can save his running configuration to a file with a chosen name for

    backup and boot the system with this file when needed.

    Multiple running configuration files can be saved with different names locally on

    the flash or at a TFTP/SFTP server.

    It is also possible to import/export a running configuration file to a USB drive.

    Command Hierarchy

    + Root
    - os-image show-list
    - os-image activate flash:
    - os-image delete flash:
    - os-image download-sw sftp://user:password@aa.bb.cc.dd/file_name
    - os-image download-sw tftp://aa.bb.cc.dd/file_name
    - startup-config {import | export} [flash: | sftp://user:password@aa.bb.cc.dd/ | tftp://aa.bb.cc.dd/]
    - logs-export [flash: | sftp://user:password@aa.bb.cc.dd/ | tftp://aa.bb.cc.dd/]
    - startup-config show files
    - reload

    Note: System must be rebooted following activation of a new OS image file.


    Examples

    Display Available OS Files

    3180# os-image show-list

    Versions list:

    RF_3180_3.1.00.09.tar (active)

    RF_3180_3.1.00.12.tar

    Activating OS File

    (will automatically reboot the device)

    3180# os-image activate flash:RF_3180_3.1.00.12.tar

    3180# os-image show-list

    Versions list:

    RF_3180_3.1.00.09.tar

    RF_3180_3.1.00.12.tar (active)

    Deleting Unneeded OS Files

    3180# os-image delete flash:RF_3180_3.1.00.09.tar

    3180# os-image show-list

    Versions list:

    RF_3180_3.1.00.12.tar (active)

    3180#

    Downloading OS File from SFTP Server

    Command syntax:

    3180# os-image download-sw sftp://user:password@aa.bb.cc.dd/file_name

    Example:

    3180# os-image download-sw sftp://rad:[email protected]/RF_3180_3.1.00.12.tar

    Exporting Configuration Database to SFTP Server

    Command syntax:

    3180# startup-config export sftp://user:password@aa.bb.cc.dd/file_name

    Example:

    3180# startup-config export sftp://rad:[email protected]/config_january13
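    The transfer commands above carry the SFTP password inside the command line, so it also appears in anything that records typed commands (the `show history` output, terminal capture files, change tickets), and the TFTP form has no authentication or encryption at all. The following added example (not part of the original manual or the device software) redacts such passwords from a saved session transcript and reports both conditions; the user name, password, addresses and transcript are constructed sample values.

```python
import re

# Matches the URL forms given in this guide's command hierarchy:
#   sftp://user:password@aa.bb.cc.dd/file_name   and   tftp://aa.bb.cc.dd/file_name
# The password group may contain "/", so an unusual URL is over-redacted
# rather than leaked.
TRANSFER_URL = re.compile(
    r"(?P<scheme>sftp|tftp)://"
    r"(?:(?P<user>[^:@/\s]+)(?::(?P<password>[^@\s]*))?@)?"
    r"(?P<host>[^/@\s]+)(?P<path>/\S*)?",
    re.IGNORECASE,
)


def scrub_line(line):
    """Return (line with passwords replaced by ***, findings for that line)."""
    findings = []

    def _replace(match):
        scheme = match.group("scheme").lower()
        user, password = match.group("user"), match.group("password")
        base = {"scheme": scheme, "host": match.group("host"), "user": user}
        if password is not None:
            findings.append({**base, "issue": "password-in-command"})
        if scheme == "tftp":
            findings.append({**base, "issue": "unauthenticated-cleartext-transfer"})
        userinfo = ""
        if user:
            userinfo = user + (":***" if password is not None else "") + "@"
        return f"{scheme}://{userinfo}{match.group('host')}{match.group('path') or ''}"

    return TRANSFER_URL.sub(_replace, line), findings


def scrub_transcript(text):
    """Redact a whole transcript; findings carry 1-based line numbers."""
    clean, report = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        redacted, findings = scrub_line(line)
        clean.append(redacted)
        report.extend({"line": number, **finding} for finding in findings)
    return "\n".join(clean), report


# Constructed transcript: the file names come from this guide's examples, the
# user name, password and addresses are made-up sample values.
SAMPLE_TRANSCRIPT = """\
3180# os-image download-sw sftp://backup:Examp1ePass@192.0.2.10/RF_3180_3.1.00.12.tar
3180# startup-config export tftp://192.0.2.20/config_january13
3180# os-image show-list
"""

if __name__ == "__main__":
    redacted, report = scrub_transcript(SAMPLE_TRANSCRIPT)
    print(redacted)
    for item in report:
        print(f"line {item['line']}: {item['issue']} ({item['scheme']}://{item['host']})")
```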

    2.4 Safe Mode

    The system has two safe mode menus available.


    To access safe mode, connect to the switch via the console cable, reboot the unit and interrupt the boot process at the safe mode prompt.

    The first safe mode is for approved technicians only and should not be used unless specified by SecFlow. This safe mode state is available at the prompt:

    For safe mode Press 's'...

    The second safe mode is accessible at the following prompt:

    ##########################

    For safe mode Press 's'...

    ##########################

    Below screenshot details the 2 safe mode menus and their options for:

    1. system reset

    2. Load the factory-default configuration for the device

    3. Write to EEPROM (should be used only after consulting with SecFlow)

    4. Recover the device's images from a package file

    5. Export / Import DB (running configuration)


    SW Image Upgrade and Recovery

    In this sub menu the user can handle system version update, activation or

    restore.

    Example for OS Image Update from a USB Stored File

    Follow the steps below as an example of uploading a desired OS image stored on a

    local USB key and activating it.


    SW Image Upgrade and Recovery

    In this sub menu the user can handle the running configuration backup and

    restore

    2.5 System Commands

    The list of CLI commands for the configuration of System commands is as follows:


    +Root

    - Help

    - clear screen

    - enable

    - disable

    - configure terminal / configure

    - run script

    - listuser

    - lock

    - username

    - enable password

    - line

    - access-list provision mode

    - access-list commit

    - exec-timeout

    - logout

    - end

    - exit

    - show privilege

    - show line

    - show aliases

    - show users

    - show history

    Command Description

    Help [command] This command displays a brief description for

    the given command.

    To display help description for commands with more than one word, do not provide any space between the words.

    clear screen clears all the contents from the screen.

    Enable [ Enable Level] This command enters into default level

    privileged mode.

    If required, the user can specify the privilege

    level by enabling level with a password (login

    password) protection to avoid unauthorized

    user.

    Disable [ Enable Level] This command turns off privileged commands.

    The privilege level varies between 0 and 15. This

    value should be less than the privilege level

    value given in the enable command.

    configure [terminal] Enters configuration mode.

    run script This command runs CLI commands from the

    specified script file.

    listuser This command lists all the default and newly

    created users, along with their permissible

    mode.


    Lock This command locks the CLI console. It allows

    the user/system administrator to lock the

    console to prevent unauthorized users from

    gaining access to the CLI command shell. Enter

    the login password to release the console lock

    and access the CLI command shell.

    username This command creates a user and sets the

    enable password for that user with the privilege

    level.

    alias - replacement string This command replaces the given token by the

    given string and the no form of the command

    removes the alias created for the given string.

    access-list commit This command triggers provisioning of active

    filter rules to hardware based on configured

    priority. This command is applicable only when

    provision mode is consolidated. Traffic flow would be impacted when filter-rules are

    reprogrammed to hardware.

    logout This command exits the user from the console

    session. In case of a telnet session, this

    command terminates the session.

    end Exits the configuration mode

    exit Exits the current config location to one step up in the root

    show privilege This command shows the current user privilege

    level

    show line This command displays TTY line information

    such as EXEC timeout

    show aliases This command displays all the aliases

    show users This command displays the information about

    the current user.

    show history This command displays a list of recently

    executed commands

    2.6 System Features

    The following CLI commands allow configuration of generic system parameters.

    + Root

    + Config terminal

    default mode

    default restore-file

    default vlan id

    default ip address

    ip address

    switchport

    default ip address allocation protocol

    ip address - rarp/dhcp

    base-mac

    login authentication

    login authentication-default

    authorized-manager ip-source

    ip http port

    set ip http

    archive download-sw

    interface-configuration and deletion

    mtu frame size

    system mtu

    loopback localbridge port-type

    system-specific port-id

    set custom-param

    mac-addr

    snmp trap link-status

    write

    copy

    copy startup-config

    copy running-config startup-config

    copy logs

    firmware upgrade

    copy file

    clock set

    erase

    cli console

    flowcontrol

    tunnel mode

    tunnel checksum

    tunnel path-mtu-discovery

    tunnel udlr

    shutdown - physical/VLAN/port-channel/tunnel Interface

    debug interface

    debug-logging

    incremental-save

    auto-save trigger

    rollback

    shutdown ospf | ospf3 | bgp | isis

    start ospf | ospf3 | bgp | isis

    set switch maximum threshold

    set switch temperature threshold

    set switch power threshold

    mac-learn-rate

    system contact

    system location

    clear interfaces counters

    clear counters

    show ip interface

    show authorized-managers

    show interfaces

    show interfaces counters

    show system-specific port-id

    show custom-param

    show interface mtu

    show interface bridge port-type

    show nvram

    show env

    show system information

    show flow-control

    show debug-logging

    show debugging

    show clock

    show running-config

    show http server status

    show system acknowledgement

    show mac-learn-rate

    port-isolation in_vlan_ID

    show port-isolation

    private-vlan mapping

    set timer speed

    set front-panel port-count

    audit-logging

    audit-logging filename

    audit-logging filesize

    audit-logging reset

    default rm-interface

    vrf unq-mac

    show config log

    memtrace

    show memtrace status

    show mempool

    hol blocking prevention

    management vlan-list

    internal-lan

    show internal-lan

    show iftype protocol deny table

    clear line vty

    tunnel hop-limit

    tunnel hop-limit

    login block-for

    audit-logging logsize-threshold

    feature telnet

    show telnet server

    show audit

    set http authentication-scheme

    set http redirection enable

    http redirect

    show http authentication-scheme

    show http redirection

    2.7 System Features Table

    Command Description

    default mode This command configures the mode by which

    the default interface gets its IP address.

    default restore-file

    default vlan id

    default ip address This command configures the IP address and

    subnet mask for the default interface.

    ip address This command sets the IP address for an

    interface. The no form of the command resets

    the IP address of the interface to its default

    value.

    switchport

    default ip address allocation protocol This command configures the protocol used by

    the default interface for acquiring its IP address.

    ip address - dhcp configures the current VLAN interface to

    dynamically acquire an IP address from a DHCP

    server.

    login authentication This command configures the authentication

    method for user logins for accessing the GUI to

    manage the switch.

    login authentication-default configures the authentication method for user

    logins for accessing the GUI to manage the

    switch.

    authorized-manager ip-source This command configures an IP authorized manager. The no form of the command removes the manager from the authorized managers list.

    ip http port This command sets the HTTP port. This port is

    used to configure the router using the Web

    interface. The value ranges between 1 and

    65535. The no form of the command resets the

    HTTP port to its default value.

    set ip http This command enables/disables HTTP in the switch.

    archive download-sw This command performs an image download operation on a switch stack or on a standalone switch. It downloads a new image from a TFTP or SFTP server at a remote location to the switch, and either overwrites or keeps the existing image.

    mtu frame size configures the maximum transmission unit

    frame size for all the frames transmitted and

    received on all the interfaces in a switch.

    snmp trap link-status enables trap generation on the interface. The

    no form of this command disables trap generation on the interface.

    clock set This command manages the system clock.

    Delete startup-config This command clears the contents of the

    startup configuration

    cli console This command enables the console CLI through

    a serial port. The no form of the command

    disables console CLI.

    flowcontrol set the send or receive flow-control value for an

    interface

    [no] shutdown - physical/VLAN/port interface This command disables/enables a physical

    interface / VLAN interface / port-channel

    interface

    debug interface This command sets the debug traces for all the

    interfaces. The no form of the command resets

    the configured debug traces.

    debug-logging This command configures the display of debug

    logs. Debug logs are directed to the console

    screen or to a buffer file, which can later be

    uploaded, based on the input.

    incremental-save This command enables/disables the incremental

    save feature

    auto-save trigger This command enables / disables the auto save

    trigger function.

    Rollback { enable | disable } This command enables/disables the rollback

    function.

    set switch maximum threshold This command sets the switch maximum

    threshold values of RAM, CPU, and Flash

    set switch temperature threshold This command sets the maximum and minimum

    temperature threshold values of the switch in

    Celsius.

    mac-learn-rate Configures the maximum number of unicast dynamic MAC (L2) entries the hardware can learn on the system

    system contact

    system location

    clear interfaces counters

    clear counters

    show ip interface

    show authorized-managers

    show interfaces

    show interfaces counters

    show system-specific port-id

    show custom-param

    show interface mtu

    show interface bridge port-type

    show nvram This command displays the current information

    stored in the NVRAM.

    show env This command displays the status of all the

    resources like CPU, Flash and RAM usage, and

    also displays the current, power and

    temperature of the switch.

    show system information This command displays system information.

    show flow-control

    show debug-logging

    show debugging

    show clock

    show running-config

    show http server status

    show system acknowledgement

    show mac-learn-rate

    port-isolation in_vlan_ID

    show port-isolation

    private-vlan mapping

    set timer speed

    set front-panel port-count

    audit-logging

    audit-logging filename

    audit-logging filesize

    audit-logging reset

    default rm-interface

    vrf unq-mac

    show config log

    memtrace

    show memtrace status

    show mempool

    hol blocking prevention

    management vlan-list

    internal-lan

    show internal-lan

    show iftype protocol deny table

    clear line vty

    tunnel hop-limit

    tunnel hop-limit

    login block-for

    audit-logging logsize-threshold

    feature telnet

    show telnet server

    show audit

    set http authentication-scheme

    set http redirection enable

    http redirect

    show http authentication-scheme

    show http redirection

    2.8 Command Hierarchy

    + Root

    + config terminal

    - set switch maximum { RAM | CPU | flash } threshold

    - set switch temperature {min|max} threshold }

    - Show interfaces

    - Show nvram

    - show system information

    - show env {all | temperature | fan | RAM | CPU | flash | power}

    - show running-config [{ syslog | dhcp | dhcp6 | | qos | stp |

    la | pnac | igs vlan ] | | vlan } | ospf | rip | | ipv6 | |

    ssh | ssl | acl | ip | vrrp | snmp | radius | rmon | ospf3 |

    igmp | eoam | igmp-proxy | route-map | tacacs | qosxtd | tac | sntp | entity-mib | http | lldp | ip http }]

    2.9 Running a Text Script

    The user can edit and run a text CLI file.

    Chapter 3

    Ports

    3.1 Introduction

    Depending on the SecFlow-2 hardware variant ordered, your switch will hold physical Ethernet and Serial ports.

    Serial ports (RJ-45) support RS-232. Max 4 ports

    Ethernet RJ45 copper ports are 10/100 FE. Max 16 ports

    Ethernet SFP based ports are 100/100 FE. Max 8 ports.

    Ethernet SFP based ports are 100/1000 GbE. Max 2 ports.

    Graphical view of system Interfaces

    3.2 Port Interfaces

    Introduction

    Depending on the hardware variant ordered, your switch will hold physical Ethernet and Serial ports.

    Serial ports (RJ-45) support RS-232. Max 4 ports

    Ethernet RJ45 copper ports are 10/100 FE. Max 16 ports

    Ethernet SFP based ports are 100/100 FE. Max 8 ports.

    Ethernet SFP based ports are 100/1000 GbE. Max 2 ports.

    C Cellular interface

    CEL1 with dual SIM GPRS/UMTS modem

    3.3 Managing Ports

    A Logical View of Ports

    The screenshots below show the typical available ports of a SecFlow-2 with 8 Ethernet ports.

    The RS-232 ports are configured and identified within the application CLI mode and are not shown by show vlan. See chapter Serial Interfaces for more information.

    Enabling Ports

    To be accessible, the required interfaces must be activated. This is done using the no shutdown command.

    Example of enabling port interface number 9

    3180(config)# interface gigabitethernet 0/9

    3180(config-if)# no shutdown

    3180(config-if)# end

    3180# write startup-cfg

    Note: Only the interfaces that are operationally up can be used in tests.

    The show interfaces command displays the complete information of all available interfaces.

    Special Ports

    Port Fastethernet 0/9 is designated for internal system functions and should not be addressed by the user unless specifically mentioned in a configuration setup of a feature in this manual.

    This port's properties should not be changed from their default state.

    Port Fastethernet 0/10 is a unique port in its purpose. This is not a user port but an internal system port designated to map serial traffic to the SecFlow internal processing unit.

    The port will be an untagged member of the system VLAN 4092, which will also be its PVID.

    The use of this port should be made in accordance with the configuration instructions given in the relevant chapters of this manual.

    Ports Gigabitethernet 0/3 and Gi 0/4 are also unique ports. These are internal system ports used for directing traffic to the Application aware firewall and services.

    These ports are similar in their purpose to the commonly known 1/3/1 and 1/3/2 of the 3080 and 3700 SecFlow series.

    The use of these ports should be made in accordance with the configuration instructions given in the relevant chapters of this manual.

    POE Ports

    Depending on your hardware variant, POE ports might be applicable.

    Hardware supporting POE is named:

    When ordering SecFlow-2 with PoE - the hardware includes PoE support on the 8 FE Ethernet ports 1-8. All POE ports are wired as Alternative-A (PoE runs on the FE twisted pairs)

    When ordering SecFlow-2 with two PoE ports for Airmux - the hardware includes PoE support on the 8 FE Ethernet ports 1-8. Ports 2 and 8 are wired as Alternative-B (PoE runs on the spare twisted pairs)

    When ordering SecFlow-2 with four PoE ports for Airmux - the hardware includes PoE support on the 8 FE Ethernet ports 1-8. Ports 2,4,6,8 are wired as Alternative-B (PoE runs on the spare twisted pairs)

    Note

    Power Management of POE

    1. The 8 POE ports support a total maximum power output of:

       - For 24Vdc powered units: 80w

       - For 48Vdc powered units: 120w

       - For AC powered units: 120w

    2. The 8 POE ports are divided into 2 groups; each group supports a maximum power output of:

       - For 24Vdc powered units: 40w

       - For 48Vdc powered units: 60w

       - For AC powered units: 60w

       - The group division is as follows:

         Group 1: p1,p2,p3,p6

         Group 2: p4,p5,p7,p8

    Modes of POE

    Alternative-A wired ports will supply POE power on demand. Non-POE equipment connected to such a port is protected, as it will not receive power over the Fast Ethernet communication lines.

    Alternative-B wired ports will supply POE power constantly (forced mode) when enabled.

    Caution: Alternate-B POE ports work in forced mode and provide constant power on the twisted pair lines. Make sure to connect only adequate equipment to these ports.

    POE command Hierarchy

    + Root

    + config terminal

    + interface

    - poe force-mode {force | detect}

    - poe admin-status {enable | disable}

    - show poe-status port

    POE Commands

    Command Description

    Config terminal

    Interface Enter the specific Interface.

    only fastethernet ports are applicable.

    Permissible values : Fastethernet

    Poe Shutdown : port is POE enabled.

    No shutdown : port is POE disabled.

    poe poe-power Detect : POE will be available only upon

    negotiation with a POE connected load device.

    Manual : POE will be available constantly.

    Caution : connect only POE capable load

    devices to ports which are in Force mode.

    Note : ports which are hardware Alternate-B

    must be in manual mode.

    show poe-status port Show the POE state of the port.

    Port number is in the range 1-8 ,relating to

    fastethernet 1-8.
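The power limits, group division and Alternative-B wiring described above can be checked against a planned deployment before equipment is connected. The following Python code is an added example, not part of the manual or of RAD's software; the variant labels, the plan layout, the finding codes and the function name are assumptions made for the example, and the sample plan is constructed.

```python
# Added example: checks a planned PoE deployment against the limits in this section.
# Limits (watts) from "Power Management of POE": total for the 8 ports, and per group.
TOTAL_LIMIT_W = {"24vdc": 80, "48vdc": 120, "ac": 120}
GROUP_LIMIT_W = {"24vdc": 40, "48vdc": 60, "ac": 60}

# Group division as stated in the manual.
GROUPS = {1: (1, 2, 3, 6), 2: (4, 5, 7, 8)}

# Alternative-B (forced mode) ports per ordering option.
# The variant labels are hypothetical names chosen for this example.
ALT_B_PORTS = {"poe": (), "airmux-2": (2, 8), "airmux-4": (2, 4, 6, 8)}


def check_poe_plan(supply, variant, plan):
    """Return findings for a plan mapping port (1-8) -> (watts, is_poe_device)."""
    if supply not in TOTAL_LIMIT_W:
        raise ValueError(f"unknown supply type: {supply!r}")
    if variant not in ALT_B_PORTS:
        raise ValueError(f"unknown hardware variant: {variant!r}")
    for port, (watts, _) in plan.items():
        if port not in range(1, 9):
            raise ValueError(f"PoE is only available on ports 1-8, got {port}")
        if watts < 0:
            raise ValueError(f"negative load on port {port}")

    findings = []
    # Forced-mode ports supply power constantly, without negotiating with the
    # load, so a non-PoE device must never be planned onto one of them.
    for port in sorted(plan):
        if port in ALT_B_PORTS[variant] and not plan[port][1]:
            findings.append(("ALT_B_NON_POE", port))

    # Each group of four ports has its own budget.
    for group, ports in GROUPS.items():
        load = sum(plan[p][0] for p in ports if p in plan)
        if load > GROUP_LIMIT_W[supply]:
            findings.append(("GROUP_OVER", group, load, GROUP_LIMIT_W[supply]))

    # The whole unit has a budget as well.
    total = sum(watts for watts, _ in plan.values())
    if total > TOTAL_LIMIT_W[supply]:
        findings.append(("TOTAL_OVER", total, TOTAL_LIMIT_W[supply]))
    return findings


# Constructed sample plan (not from the manual): load in watts per port.
SAMPLE_PLAN = {
    1: (15, True),
    2: (20, True),   # PoE device on an Alternative-B port
    3: (10, True),
    4: (12, True),
    8: (0, False),   # non-PoE device planned onto an Alternative-B port
}

if __name__ == "__main__":
    for finding in check_poe_plan("24vdc", "airmux-2", SAMPLE_PLAN):
        print(finding)
```
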

    Controlling Ports

    Storm Control

    Sets the storm control rate for broadcast, multicast

    Rate Limit Output

    Enables the rate limiting and burst size rate limiting by configuring the egress

    packet rate of an interface and the no form of the command disables the rate

    limiting and burst size rate limiting on an egress port

    3.4 Port Command Hierarchy

    + Root

    + config terminal

    + interface

    - [no] description DESCRIPTION

    - [no] speed (10 | 100 | 1000 | auto)

    - [no] duplex (auto | full | half)

    - [no] switchport pvid

    - [no] system-specific port-id

    - [no] snmp trap link-status

    - flowcontrol (receive | send) (desired | on | off)

    - mtu

    - [no] shutdown

    - [no] storm-control { broadcast | multicast | dlf } level

    - [no] rate-limit output [rate-limit] [burst-limit]

    - switchport unicast-mac learning limit

    - switchport unicast-mac learning { enable | disable }

    clear interfaces [ ] counters

    clear counters [ ]

    - Show interfaces [ ] [ vlan ]

    - Show interfaces

    - show interface mtu

    - show interfaces status

    - show interfaces counters

    - show interfaces capabilities

    - show vlan port config [ port ]

    - show running-config interface

    3.5 Command Description

    Command Description

    Config terminal

    Interface

    mtu frame size This command configures the maximum

    transmission unit frame size for all the frames

    transmitted and received on all the interfaces in

    a switch. The size of the MTU frame size can be

    increased using this command. The value ranges

    between 90 and 9216.

    This value defines the largest PDU that can be

    passed by the interface without any need for

    fragmentation. This value is shown to the

    higher interface sub-layer and should not

    include size of the encapsulation or header

    added by the interface. This value represents

    the IP MTU over the interface, if IP is operating

    over the interface.

    Note: Any messages larger than the MTU are

    divided into smaller packets before transmission

    Default : 1500

    system-specific port-id This command configures the system specific

    index for the port. It provides a different

    numbering space other than the IfIndex to

    identify ports. The value ranges between 1 and

    16384.

    Default : 0.

    [no] snmp trap link-status This command enables trap generation on the

    interface. The no form of this command

    disables trap generation on the interface.

    The interface generates a linkUp or linkDown trap. The linkUp trap denotes that the

    communication link is available and ready for

    traffic flow. The linkDown trap denotes that the

    communication link failed and is not ready for

    traffic flow.

    Default : enable

    flowcontrol

    { send | receive }

    Send: Sets the interface to send flow control packets to a remote device

    Receive: Sets the interface to receive flow control packets from a remote device

    { on | off | desired }

    On: If used with receive, allows an interface to operate with the attached device to send flow control packets. If used with send, the interface sends flow control packets to a remote device if the device supports it

    Off: Turns off the attached device's (when used with receive) or the local port's (when used with send) ability to send flow-control packets to an interface or to a remote device respectively

    Desired: Allows a local port to operate with an attached device that is required to send flow control packets or that may send the control packets, when used with receive option. Allows the local port to send administrative status to a remote device if the remote device supports it, when used with send option.

    storm-control Sets the storm control rate for broadcast, multicast and DLF packets

    broadcast - Broadcast packets

    multicast - Multicast packets

    dlf - Unicast packets

    level - Storm-control suppression level as a total number of packets per second.

    rate-limit output rate-value - Line rate in kbps

    burst-value - Burst size value in kbps

    clear interfaces [ ] counters Clears all the current interface counters from the interface

    3.6 GPRS/UMTS Interface

    Overview

    An important benefit of the SecFlow portfolio is its support of variety of medium